Pen Test vs. Health Check

From: Andy Cuff (lists@securitywizardry.com)
Date: Sun Jan 25 2004 - 10:38:43 EST


Hi Folks,
Last week Mark Teicher brought up a valid point regarding ethical
hacking not solving the underlying issue of an insecure network.
Addressing the symptom rather than the cause.

I personally don't like the term ethical hacking when referring to a Pen
Test; however, as you probably noticed, I think the term will remain where
training is concerned that introduces the student to the techniques and
methodology used by a hacker. I do not think that an ethical hacking
course will make a security tester. OK, no more about training, honest!

A Pen Test is only as good as the testers and is only a snapshot.
However, a network that has been secured from the inside out, with a
solid secure foundation should stand the test of time, even if it is
compromised the attacker may not be able to roam freely and all their
actions should be recorded.

IMHO a more efficient and thorough method to conduct a security test is the
holistic approach, where the tester looks inside the network first from a
privileged account, identifying problems and offering solutions, if need be,
he/she can then attempt to exploit said vulnerabilities as a demonstration
to the client. This method greatly cuts down on the time taken to "scope
the joint" externally.

Firstly, what are the members' thoughts on the above, and what are the
downsides in what I have said? Also, does anyone have any good
analogies to vindicate the holistic approach over the Pen Test?

-andy

Talisker Security Tools Directory
http://www.securitywizardry.com
